From stollman.j at gmail.com Sat Feb 9 11:53:20 2008 From: stollman.j at gmail.com (j stollman) Date: Sat, 9 Feb 2008 14:53:20 -0500 Subject: [Sig-ia] the need for international support Message-ID: At the Identity Assurance SIG meeting in Washington last week, I emphasized the need to internationalize the current "framework" prior to publishing a final version. There seemed to be some general assent and an acknowledgment that the current document was US-centric. There were also some veterans in the group who expressed the concern that we would be unlikely to obtain buy-in from non-US entities (both government and commercial) and that attempting to do so would substantially set back publication of the framework. There was also a widely held view that it is important to publish the framework quickly. I believe that the reasons for this pressure to publish include: 1. Putting Liberty on the map in the area of identity assurance before our efforts are preempted by another organization -- or worse -- by a single-entity product that gains traction. The concern is that either of these options would set back the standards process. 2. Proving to its member sponsors that Liberty is productive, and not just a debate club into which they are pouring time and money. 3. Allowing Liberty to be a leader rather than a follower, so that the standards that do evolve interoperate with the activities of Liberty's other SIGs. 4. Many members -- veterans of EAP -- have made major investments of their time and energy and are anxious to see results of their hard labors. 5. The initial publication can always be revised as more feedback is obtained. All of these motivations are valid. But I am fearful that in a rush to win this, our first battle, we may be setting ourselves up to fail in the larger war. The focus of my concern around "losing the war" is the aspect of human nature which tends to resist change imposed from the outside. Those of you who have worked with multi-cultural teams (even within the same enterprise in the same country such as accounting versus marketing) have learned that any process that crosses cultural boundaries will not succeed if it fails to get the buy-in of each of the organizations affected. The second lesson in this area is that buy-in is most easily achieved by involving the other parties at the earliest opportunity. People need to feel that they had a voice in creating the process. This gives them a sense of ownership that is vital to obtaining their buy-in. Buy-in is extremely difficult to obtain when foisted upon another organization as a *fait accompli*. And merely stating a willingness to modify the framework to adapt to requirements received after the fact has a hollow ring to it. Much as we blame "them" for their arrogance in being unwilling to accept our well-conceived draft, it is our arrogance that is responsible for not considering "them" important enough to be included in the early stage of developing our draft. Our own arrogance is exemplified in the comments made about the Spanish six-level identity standard. During the meeting, no one appeared to give any consideration to trying to review the Spanish standard seeking best-of-breed ideas that might well improve our draft. Instead, the focus was on ensuring that the Spanish standards could be mapped to our "better" standard. The presumption seemed to be the the Liberty framework would be the "standard" and others could just map to us. But to elevate our framework to a position that other would even consider mapping to us requires sufficient global acceptance of the framework. I contend that this initial traction requires broad acceptance outside the limited domestic community represented at the SIG meeting. It was also mentioned that in our government's previous attempts to work with the Europeans on standards, the Europeans would never agree to accept our work. But did we really consider theirs? I am not looking to point fingers, but if Liberty's framework fails to gain the buy-in of key countries outside the US, I would consider our work to be a failure. On Liberty's home page, Liberty defines itself as: a first-of-its-kind standards organization with a *global* membership that provides a *holistic* approach to identity. The need for this global, holistic perspective is threefold: 1. Many of the world's largest commercial and government enterprises (the focus of Liberty's efforts) do business with each other across national boundaries. 2. Many of the world's largest enterprises are themselves multinational and desire the economy of one standard for all of their activities 3. Failure to meet the needs of these large enterprises will likely lead to the failure of Liberty's framework in the marketplace. If we fail to gain the buy-in of the multi-national community now, the result may likely be a Liberty "US" standard and, at a minimum, one more standard from Europe. A Betamax vs. VHS standards war is costly. I believe that avoiding such a conflict is part of Liberty's purpose. I, therefore, believe that we need to proactively solicit feedback from outside of our domestic team and demonstrate a true willingness to consider incorporating or even adopting other approaches to forge a best-of-breed framework. Finally, when considering international cooperation, we must acknowledge that this means more than just the UK, France, Germany, Switzerland, and Italy. While I certainly subscribe to the 80/20 rule, we need to consider not only where the major enterprises are headquartered, but where their employees and business partners are located. Besides Japan, this increasingly includes China, India, sourtheast Asia, Eastern Europe, and Latin America. Perhaps Africa can be considered part of the 20% which will adapt to the standard once it has traction elsewhere. [If someone pays my T&L, I would be happy to facilitate a session in Paris in April!] Thank you for your indulgence. Jeff -- Jeff Stollman stollman.j at gmail.com 1.610.640.4115 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080209/8bd573b8/attachment.html From joni at ieee-isto.org Wed Feb 13 09:32:03 2008 From: joni at ieee-isto.org (joni at ieee-isto.org) Date: Wed, 13 Feb 2008 09:32:03 -0800 Subject: [Sig-ia] SIG IA Kick off meeting minutes - Posted on Wiki Message-ID: Hello, The Identity Assurance SIG kick off meeting minutes have been posted on the IA SIG wiki here: http://wiki.projectliberty.org/index.php/IASIG (click 'meeting minutes') or via this direct link: http://wiki.projectliberty.org/index.php/January20080130 Cheers, Joni Brennan IEEE-ISTO Liberty Alliance Project Operations Manager voice:+1 732-226-4223 email: joni at projectliberty.org From stollman.j at gmail.com Fri Feb 22 03:22:06 2008 From: stollman.j at gmail.com (j stollman) Date: Fri, 22 Feb 2008 06:22:06 -0500 Subject: [Sig-ia] IA Framework references to US Government documents Message-ID: All, In the aftermath of Wednesday's teleconference, it occurs to me that we might benefit from changing the spin on references to US Government documents in the IA Framework. Rather than including the reference in the text which gives a decidedly US-centric tone to the document, we could substitute terms such as "IAEG-approved standard. (The current list of standards is included in Appendix A.)" In this way, we still leverage the utility and credibility of the standards which the team believes are widely accepted internationally, without making the document explicitly state it. Furthermore, the document would remain unchanged when someone convinces us that another standard is of equal or greater than the standards that we include in our initial document. We merely update the Appendix. For example, here is a current section: *AL3_CO_SCO#020 Protection of secrets* Ensure that: a) access to shared secrets shall be subject to discretionary controls that permit access to those roles/applications requiring such access. b) stored shared secrets are encrypted such that: i the encryption key for the shared secret file is encrypted under a key held in a FIPS 140-2 [FIPS140-2 <#FIPS1402>] <#_msocom_1> Level 2 (or higher) validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 cryptographic module and decrypted only as immediately required for an authentication operation. This would become: *AL3_CO_SCO#020 Protection of secrets* Ensure that: a) access to shared secrets shall be subject to discretionary controls that permit access to those roles/applications requiring such access. b) stored shared secrets are encrypted such that: i the encryption key for the shared secret file is encrypted under a key held in an IAEG-approved Level 2 (or higher) validated hardware cryptographic module and decrypted only as immediately required for an authentication operation. (The IAEG-approved cryptographic standards are listed in Appendix A.) While the meaning of the section remains unchanged, I think that document becomes much more universal with this format change. Jeff -- Jeff Stollman stollman.j at gmail.com 1.610.640.4115 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080222/1074fdf4/attachment.html From jgross at wellsfargo.com Fri Feb 22 12:46:38 2008 From: jgross at wellsfargo.com (jgross at wellsfargo.com) Date: Fri, 22 Feb 2008 14:46:38 -0600 Subject: [Sig-ia] IA Framework references to US Government documents References: Message-ID: I appreciate the intent, Jeff. But, I believe it is a step back. FIPS (NIST standards) are referenced many, many times in product specifications to affirm compliance to standards. I am in favor of adding additional standards that are also sufficiently developed and accepted that may be more acceptable outside US---but the value of this program is in a readily certification process. A more general and vague reference does not serve that purpose, in my opinion. --Jim Jim Gross WELLS Sr. Vice President FARGO WellsSecure Identity Assurance One Front Street, 20th Floor, MAC A0195-204 San Francisco, CA USA 94111 Voice: (415) 222-5007/Fax: (415) 788-3039 jgross at wellsfargo.com This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is privileged, or prohibited from disclosure under confidentiality agreement or applicable law. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of this transmission or any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify the sender by reply e-mail and destroy the original transmission and its attachments without reading them or saving them to disk. Thank you. P Please consider the environment before printing this e-mail _____ From: sig-ia-bounces at lists.projectliberty.org [mailto:sig-ia-bounces at lists.projectliberty.org] On Behalf Of j stollman Sent: Friday, February 22, 2008 3:22 AM To: sig-ia at lists.projectliberty.org Subject: [Sig-ia] IA Framework references to US Government documents All, In the aftermath of Wednesday's teleconference, it occurs to me that we might benefit from changing the spin on references to US Government documents in the IA Framework. Rather than including the reference in the text which gives a decidedly US-centric tone to the document, we could substitute terms such as "IAEG-approved standard. (The current list of standards is included in Appendix A.)" In this way, we still leverage the utility and credibility of the standards which the team believes are widely accepted internationally, without making the document explicitly state it. Furthermore, the document would remain unchanged when someone convinces us that another standard is of equal or greater than the standards that we include in our initial document. We merely update the Appendix. For example, here is a current section: AL3_CO_SCO#020 Protection of secrets Ensure that: a) access to shared secrets shall be subject to discretionary controls that permit access to those roles/applications requiring such access. b) stored shared secrets are encrypted such that: i the encryption key for the shared secret file is encrypted under a key held in a FIPS 140-2 [FIPS140-2] Level 2 (or higher) validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 cryptographic module and decrypted only as immediately required for an authentication operation. This would become: AL3_CO_SCO#020 Protection of secrets Ensure that: a) access to shared secrets shall be subject to discretionary controls that permit access to those roles/applications requiring such access. b) stored shared secrets are encrypted such that: i the encryption key for the shared secret file is encrypted under a key held in an IAEG-approved Level 2 (or higher) validated hardware cryptographic module and decrypted only as immediately required for an authentication operation. (The IAEG-approved cryptographic standards are listed in Appendix A.) While the meaning of the section remains unchanged, I think that document becomes much more universal with this format change. Jeff -- Jeff Stollman stollman.j at gmail.com 1.610.640.4115 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080222/497ee9bb/attachment-0001.html From altermap at mail.nih.gov Mon Feb 25 05:53:14 2008 From: altermap at mail.nih.gov (Alterman, Peter (NIH/CIT) [E]) Date: Mon, 25 Feb 2008 08:53:14 -0500 Subject: [Sig-ia] IA Framework references to US Government documents In-Reply-To: References: Message-ID: <8C40DAAF38B0A84C9312702FA41930EA04805165@NIHCESMLBX3.nih.gov> In general, Jeff's language suggestions are reasonable. Where specific standards are invoked, I agree with Jim. FIPS 140 is a de facto global standard at this point. If in future there is an EU-sanctioned standard identified, then we could move to generalize (or more likely add) that language, too. ---------------------------------------------- Peter Alterman, Ph.D. Asst. CIO for EAuthentication, NIH and Chair, Federal PKI Policy Authority Cell: 301-252-8846 ________________________________ From: jgross at wellsfargo.com [mailto:jgross at wellsfargo.com] Sent: Friday, February 22, 2008 3:47 PM To: stollman.j at gmail.com; sig-ia at lists.projectliberty.org Subject: Re: [Sig-ia] IA Framework references to US Government documents I appreciate the intent, Jeff. But, I believe it is a step back. FIPS (NIST standards) are referenced many, many times in product specifications to affirm compliance to standards. I am in favor of adding additional standards that are also sufficiently developed and accepted that may be more acceptable outside US---but the value of this program is in a readily certification process. A more general and vague reference does not serve that purpose, in my opinion. --Jim Jim Gross WELLS Sr. Vice President FARGO WellsSecure Identity Assurance One Front Street, 20th Floor, MAC A0195-204 San Francisco, CA USA 94111 Voice: (415) 222-5007/Fax: (415) 788-3039 jgross at wellsfargo.com This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is privileged, or prohibited from disclosure under confidentiality agreement or applicable law. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of this transmission or any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify the sender by reply e-mail and destroy the original transmission and its attachments without reading them or saving them to disk. Thank you. P Please consider the environment before printing this e-mail ________________________________ From: sig-ia-bounces at lists.projectliberty.org [mailto:sig-ia-bounces at lists.projectliberty.org] On Behalf Of j stollman Sent: Friday, February 22, 2008 3:22 AM To: sig-ia at lists.projectliberty.org Subject: [Sig-ia] IA Framework references to US Government documents All, In the aftermath of Wednesday's teleconference, it occurs to me that we might benefit from changing the spin on references to US Government documents in the IA Framework. Rather than including the reference in the text which gives a decidedly US-centric tone to the document, we could substitute terms such as "IAEG-approved standard. (The current list of standards is included in Appendix A.)" In this way, we still leverage the utility and credibility of the standards which the team believes are widely accepted internationally, without making the document explicitly state it. Furthermore, the document would remain unchanged when someone convinces us that another standard is of equal or greater than the standards that we include in our initial document. We merely update the Appendix. For example, here is a current section: AL3_CO_SCO#020 Protection of secrets Ensure that: a) access to shared secrets shall be subject to discretionary controls that permit access to those roles/applications requiring such access. b) stored shared secrets are encrypted such that: i the encryption key for the shared secret file is encrypted under a key held in a FIPS 140-2 [FIPS140-2] Level 2 (or higher) validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 cryptographic module and decrypted only as immediately required for an authentication operation. This would become: AL3_CO_SCO#020 Protection of secrets Ensure that: a) access to shared secrets shall be subject to discretionary controls that permit access to those roles/applications requiring such access. b) stored shared secrets are encrypted such that: i the encryption key for the shared secret file is encrypted under a key held in an IAEG-approved Level 2 (or higher) validated hardware cryptographic module and decrypted only as immediately required for an authentication operation. (The IAEG-approved cryptographic standards are listed in Appendix A.) While the meaning of the section remains unchanged, I think that document becomes much more universal with this format change. Jeff -- Jeff Stollman stollman.j at gmail.com 1.610.640.4115 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080225/d96916f8/attachment.html From john at ichnet.org Mon Feb 25 09:58:13 2008 From: john at ichnet.org (John Weiler) Date: Mon, 25 Feb 2008 12:58:13 -0500 Subject: [Sig-ia] IA Framework references to US Government documents; Concurrance from ICH In-Reply-To: <8C40DAAF38B0A84C9312702FA41930EA04805165@NIHCESMLBX3.nih.gov> Message-ID: <025301c877d8$009b2cf0$0b01a8c0@johnr6wdlosmlr> Peter, Jeff, Jim, As a govt chartered research institute focusing on commercial standards and technologies, we concur with the recommendation. ICH is working on a DoD wide Assessment Framework that maps triangulates standards, system requirements and available technologies. Our plan is to incorporate these IA capabilities into the Architecture Assurance Method and resulting DoD Architecture products. We would very much like to have a high level set of associated IA Capabilities and Services Component specifications that can be incorporating into on-going DoD IT programs. Does this make sense? john John Weiler, Executive Director john at ICHnet.org Interoperability Clearinghouse, home of; SOA Capability Broker Institute for Information Sharing Architecture Assurance Method (AAM) (v) 703-768-0400 (c) 703-863-3766 (f) 703-765-9295 www.ICHnet.org Assuring the business value of technology -----Original Message----- From: sig-ia-bounces at lists.projectliberty.org [mailto:sig-ia-bounces at lists.projectliberty.org] On Behalf Of Alterman, Peter (NIH/CIT) [E] Sent: Monday, February 25, 2008 8:53 AM To: jgross at wellsfargo.com; stollman.j at gmail.com; sig-ia at lists.projectliberty.org Subject: Re: [Sig-ia] IA Framework references to US Government documents In general, Jeff's language suggestions are reasonable. Where specific standards are invoked, I agree with Jim. FIPS 140 is a de facto global standard at this point. If in future there is an EU-sanctioned standard identified, then we could move to generalize (or more likely add) that language, too. ---------------------------------------------- Peter Alterman, Ph.D. Asst. CIO for EAuthentication, NIH and Chair, Federal PKI Policy Authority Cell: 301-252-8846 _____ From: jgross at wellsfargo.com [mailto:jgross at wellsfargo.com] Sent: Friday, February 22, 2008 3:47 PM To: stollman.j at gmail.com; sig-ia at lists.projectliberty.org Subject: Re: [Sig-ia] IA Framework references to US Government documents I appreciate the intent, Jeff. But, I believe it is a step back. FIPS (NIST standards) are referenced many, many times in product specifications to affirm compliance to standards. I am in favor of adding additional standards that are also sufficiently developed and accepted that may be more acceptable outside US---but the value of this program is in a readily certification process. A more general and vague reference does not serve that purpose, in my opinion. --Jim Jim Gross WELLS Sr. Vice President FARGO WellsSecure Identity Assurance One Front Street, 20th Floor, MAC A0195-204 San Francisco, CA USA 94111 Voice: (415) 222-5007/Fax: (415) 788-3039 jgross at wellsfargo.com This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is privileged, or prohibited from disclosure under confidentiality agreement or applicable law. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of this transmission or any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify the sender by reply e-mail and destroy the original transmission and its attachments without reading them or saving them to disk. Thank you. P Please consider the environment before printing this e-mail _____ From: sig-ia-bounces at lists.projectliberty.org [mailto:sig-ia-bounces at lists.projectliberty.org] On Behalf Of j stollman Sent: Friday, February 22, 2008 3:22 AM To: sig-ia at lists.projectliberty.org Subject: [Sig-ia] IA Framework references to US Government documents All, In the aftermath of Wednesday's teleconference, it occurs to me that we might benefit from changing the spin on references to US Government documents in the IA Framework. Rather than including the reference in the text which gives a decidedly US-centric tone to the document, we could substitute terms such as "IAEG-approved standard. (The current list of standards is included in Appendix A.)" In this way, we still leverage the utility and credibility of the standards which the team believes are widely accepted internationally, without making the document explicitly state it. Furthermore, the document would remain unchanged when someone convinces us that another standard is of equal or greater than the standards that we include in our initial document. We merely update the Appendix. For example, here is a current section: AL3_CO_SCO#020 Protection of secrets Ensure that: a) access to shared secrets shall be subject to discretionary controls that permit access to those roles/applications requiring such access. b) stored shared secrets are encrypted such that: i the encryption key for the shared secret file is encrypted under a key held in a FIPS 140-2 [FIPS140-2 <> ] Level 2 (or higher) validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 cryptographic module and decrypted only as immediately required for an authentication operation. This would become: AL3_CO_SCO#020 Protection of secrets Ensure that: a) access to shared secrets shall be subject to discretionary controls that permit access to those roles/applications requiring such access. b) stored shared secrets are encrypted such that: i the encryption key for the shared secret file is encrypted under a key held in an IAEG-approved Level 2 (or higher) validated hardware cryptographic module and decrypted only as immediately required for an authentication operation. (The IAEG-approved cryptographic standards are listed in Appendix A.) While the meaning of the section remains unchanged, I think that document becomes much more universal with this format change. Jeff -- Jeff Stollman stollman.j at gmail.com 1.610.640.4115 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.projectliberty.org/pipermail/sig-ia_lists.projectliberty.org/attachments/20080225/9b99e49c/attachment-0001.html